Opened 15 years ago
Last modified 5 years ago
#6192 new defect
Failure for VIEW in different format or for other actions, if WikiStart has content protected by ProtectedMacro
Reported by: | Anton Sergunov | Owned by: | frayja |
---|---|---|---|
Priority: | normal | Component: | ProtectedMacro |
Severity: | major | Keywords: | permission |
Cc: | setosha@… | Trac Release: | 0.11 |
Description
Plugin ProtectedMacro installed, and protected section present at WikiStart page.
- anonymous user clicks register
- Enters registration info and clicks register button
- And gets
WARNING: HTTPForbidden: 403 Forbidden (PROTECTED_VIEW privileges are required to perform this operation on WikiStart)
No new user registered after all.
Log:
```
2009-11-11 02:25:03,145 Trac[main] DEBUG: Dispatching <Request "POST u'/register'">
2009-11-11 02:25:03,149 Trac[PyGIT] DEBUG: requested PyGIT.Storage instance 172181260 for 'store.git'
2009-11-11 02:25:03,150 Trac[git_fs] INFO: enabled CachedRepository for 'store.git'
2009-11-11 02:25:03,175 Trac[session] DEBUG: Retrieving session for ID '6d592e6eb3a54cde7af30a44'
2009-11-11 02:25:03,181 Trac[api] DEBUG: Checking permission called with: action(PROTECTED_VIEW), username(anonymous), resource(<Resource u'wiki:WikiStart'>), perm(<trac.perm.PermissionCache object at 0xa78698c>)
2009-11-11 02:25:03,182 Trac[api] DEBUG: Checking privacy of page WIKISTART
2009-11-11 02:25:03,183 Trac[api] DEBUG: Privacy check results []
2009-11-11 02:25:03,185 Trac[perm] DEBUG: No policy allowed anonymous performing PROTECTED_VIEW on <Resource u'wiki:WikiStart'>
2009-11-11 02:25:03,186 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (PROTECTED_VIEW privileges are required to perform this operation on WikiStart)
2009-11-11 02:25:03,186 Trac[chrome] DEBUG: Prepare chrome data for request
2009-11-11 02:25:03,189 Trac[api] DEBUG: Checking permission called with: action(TICKET_CREATE), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,189 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2009-11-11 02:25:03,190 Trac[api] DEBUG: Checking permission called with: action(TICKET_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,193 Trac[api] DEBUG: Checking permission called with: action(TRAC_ADMIN), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,194 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2009-11-11 02:25:03,195 Trac[api] DEBUG: Checking permission called with: action(PERMISSION_GRANT), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,195 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2009-11-11 02:25:03,196 Trac[api] DEBUG: Checking permission called with: action(PERMISSION_REVOKE), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,196 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2009-11-11 02:25:03,197 Trac[api] DEBUG: Checking permission called with: action(TICKET_ADMIN), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,197 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2009-11-11 02:25:03,198 Trac[api] DEBUG: Checking permission called with: action(MILESTONE_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,199 Trac[api] DEBUG: Checking permission called with: action(BROWSER_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,199 Trac[perm] DEBUG: No policy allowed anonymous performing BROWSER_VIEW on None
2009-11-11 02:25:03,200 Trac[api] DEBUG: Checking permission called with: action(TIMELINE_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,201 Trac[api] DEBUG: Checking permission called with: action(ROADMAP_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,202 Trac[api] DEBUG: Checking permission called with: action(WIKI_VIEW), username(anonymous), resource(<Resource 'wiki'>), perm(<trac.perm.PermissionCache object at 0xa8a8cd4>)
2009-11-11 02:25:03,203 Trac[api] DEBUG: Checking permission called with: action(SEARCH_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,205 Trac[api] DEBUG: Checking permission called with: action(REPORT_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,210 Trac[api] DEBUG: Checking permission called with: action(EMAIL_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa86ac0c>)
2009-11-11 02:25:03,210 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
2009-11-11 02:25:03,817 Trac[main] DEBUG: Dispatching <Request "GET u'/chrome/site/your_project_logo.png'">
2009-11-11 02:25:03,819 Trac[session] DEBUG: Retrieving session for ID '6d592e6eb3a54cde7af30a44'
2009-11-11 02:25:03,826 Trac[chrome] DEBUG: Prepare chrome data for request
2009-11-11 02:25:03,829 Trac[api] DEBUG: Checking permission called with: action(TICKET_CREATE), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,830 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
2009-11-11 02:25:03,831 Trac[api] DEBUG: Checking permission called with: action(TICKET_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,833 Trac[api] DEBUG: Checking permission called with: action(TRAC_ADMIN), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,833 Trac[perm] DEBUG: No policy allowed anonymous performing TRAC_ADMIN on None
2009-11-11 02:25:03,834 Trac[api] DEBUG: Checking permission called with: action(PERMISSION_GRANT), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,834 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_GRANT on None
2009-11-11 02:25:03,835 Trac[api] DEBUG: Checking permission called with: action(PERMISSION_REVOKE), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,835 Trac[perm] DEBUG: No policy allowed anonymous performing PERMISSION_REVOKE on None
2009-11-11 02:25:03,835 Trac[api] DEBUG: Checking permission called with: action(TICKET_ADMIN), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,836 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_ADMIN on None
2009-11-11 02:25:03,836 Trac[api] DEBUG: Checking permission called with: action(MILESTONE_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,837 Trac[api] DEBUG: Checking permission called with: action(BROWSER_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,837 Trac[perm] DEBUG: No policy allowed anonymous performing BROWSER_VIEW on None
2009-11-11 02:25:03,838 Trac[api] DEBUG: Checking permission called with: action(TIMELINE_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,839 Trac[api] DEBUG: Checking permission called with: action(ROADMAP_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,840 Trac[api] DEBUG: Checking permission called with: action(WIKI_VIEW), username(anonymous), resource(<Resource 'wiki'>), perm(<trac.perm.PermissionCache object at 0xa881f54>)
2009-11-11 02:25:03,842 Trac[api] DEBUG: Checking permission called with: action(SEARCH_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,843 Trac[api] DEBUG: Checking permission called with: action(REPORT_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,848 Trac[api] DEBUG: Checking permission called with: action(EMAIL_VIEW), username(anonymous), resource(None), perm(<trac.perm.PermissionCache object at 0xa881c34>)
2009-11-11 02:25:03,848 Trac[perm] DEBUG: No policy allowed anonymous performing EMAIL_VIEW on None
```
Attachments (0)
Change History (6)
comment:1 Changed 14 years ago by
Keywords: | user register added |
---|---|
Priority: | normal → low |
Severity: | normal → major |
Summary: | Registration failed while protected module at WikiMain → Silent registration failure, if WikiStart has content protected by ProtectedMacro |
comment:2 Changed 14 years ago by
Owner: | changed from Matt Good to Steffen Hoffmann |
---|---|
Severity: | major → normal |
I take over responsibility, but more debugging still has to wait for many other issues here rated at higher importance.
However with [9199] the situation has improved at least a little bit, because now a successful registration would be announced to the user, while it still exits registration silently with protected content in WikiStart. Fact remains, that no user can register with this setting.
comment:3 Changed 12 years ago by
Cc: | Ryan J Ollos added |
---|---|
Component: | AccountManagerPlugin → ProtectedMacro |
Owner: | changed from Steffen Hoffmann to frayja |
Summary: | Silent registration failure, if WikiStart has content protected by ProtectedMacro → Failure for VIEW in different format or for other actions, if WikiStart has content protected by ProtectedMacro |
Suddenly I've understood what's happening, and it's definitely the ProtectedMacro.pre_process_request IRequestFilter method that is getting the request wrong. Easy to prove this:
- pre-seed WikiStart with some protected content
- go to a ticket page
- click on a bottom link to view/download in a different format
This will raise the same permission error, complaining about a missing permission for resource WikiStart. - Hey, why WikiStart? You called for /ticket/<n>. Correct, that's another occasion revealing the same issue.
The bottom line is, that the aforementioned method is jumping on every request regardless of the path. If there's no page argument (like in '/register' or '/ticket/<m>'), it'll blindly assume it's getting called from within the wiki realm and 'WikiStart' should be the correct resource ID. Then it proceeds towards permission checking on WikiStart instead, which must fail for obvious reasons. You simply can't have a protected area on WikiStart without getting issues, or ProtectedMacro has to get a fix.
There are several possible ways to fix it, but I'd rather leave that to the discretion of the macro author/maintainer. Ask for a suggestion, if you can't work it out yourself, but note, that I don't want to act in a way, that could suggest endorsement for using this macro or more. Reason is, I don't believe in the general approach of this macro trying to protect content. It's too weak to be secure and work reliably, but still strong enough to spell trouble even for unaware third-parties, as demonstrated in this ticket. As a matter of fact AccountManagerPlugin has been under false accusation for this rather broad issue in ProtectedMacro for more than 3 years now.
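The failure mode described in comment:3, modelled as an added example that is not ProtectedMacro's code: a simplified stand-in for Trac's Request and the IRequestFilter.pre_process_request hook (the real hook also receives and returns a handler), showing the filter that defaults a missing page argument to WikiStart beside a form that only acts inside the wiki realm.

```python
# Added example, not ProtectedMacro's own code. Request, Forbidden and the
# permission store are constructed stand-ins for Trac's Request, HTTPForbidden
# and PermissionCache; PROTECTED_PAGES stands in for pages carrying a
# protected section.
from dataclasses import dataclass, field

PROTECTED_PAGES = {"WikiStart"}   # constructed: WikiStart has protected content


class Forbidden(Exception):
    """Stand-in for trac.web.api.HTTPForbidden."""


@dataclass
class Request:
    """Minimal stand-in for trac.web.Request (constructed for this example)."""
    path_info: str
    args: dict = field(default_factory=dict)
    authname: str = "anonymous"
    granted: set = field(default_factory=set)   # actions this user holds

    def require(self, action, page):
        if action not in self.granted:
            raise Forbidden(f"{action} privileges are required to perform "
                            f"this operation on {page}")


def buggy_pre_process_request(req):
    # Reconstructed from comment:3: no realm check, and a missing 'page'
    # argument silently becomes 'WikiStart', so POST /register and
    # /ticket/<n>?format=... run into the PROTECTED_VIEW check as well.
    page = req.args.get("page", "WikiStart")
    if page in PROTECTED_PAGES:
        req.require("PROTECTED_VIEW", page)
    return "handler"


def fixed_pre_process_request(req):
    # Hardened form: leave every non-wiki realm alone and derive the page
    # from the path, so only real wiki views are subject to the check.
    if req.path_info != "/wiki" and not req.path_info.startswith("/wiki/"):
        return "handler"
    page = req.path_info[len("/wiki/"):] or "WikiStart"
    if page in PROTECTED_PAGES:
        req.require("PROTECTED_VIEW", page)
    return "handler"


def outcome(filter_fn, req):
    """Return 'allowed' or the 403 text, mirroring the WARNING in the log."""
    try:
        filter_fn(req)
        return "allowed"
    except Forbidden as exc:
        return f"403 Forbidden ({exc})"
```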
comment:4 Changed 12 years ago by
Keywords: | permission added; user register removed |
---|---|
comment:5 Changed 12 years ago by
Priority: | low → normal |
---|---|
Severity: | normal → major |
This is definitely a show-stopper for a number of actions on different, unrelated Trac realms. These may not even be supported (protected) by this wiki macro, as in the case of the new user registration procedure of AccountManagerPlugin, so I feel it reasonable to demand, that they shouldn't be touched at all.
comment:6 Changed 5 years ago by
Cc: | Ryan J Ollos removed |
---|---|
Confirmed.
I've fiddled with a debugger to find the exact root cause for more than an hour without success, so I will have to postpone this for now. Sorry for the delay, but as there is generally not much maintenance action for this plugin right now, there are much more urgent things to do than investigating some nasty plugin interaction effects. Still I'm not unwilling to proceed later. More information and even patches welcome.
Meanwhile removing the protected section from the Trac wiki front page has to be a reasonable workaround. I must confess, that I don't believe in this protected wiki stuff, even more since there are known issues with ProtectedMacro actually protecting this «protected» wiki content under all circumstances AFAIK.